FortiDDos DDoS Attack Mitigation Guide - Fortinet

More documents

Recommendations

Info

DDoS attack test conditions - a broad classification Following diagram shows a more complex test bed. The appliances SmartBits and Avalanche are packet generators. Such setups are typically used for third-party performance tests. Figure 10: A more complex test bench DDoS attack test conditions - a broad classification DDoS attacks can be broadly classified into following categories: Spoofed floods vs. non-spoofed floods A spoofed flood sends packets that seem to come from an IP that either does not exist or did not actually send the packet. A non-spoofed flood on the other hand comes from real IP addresses. Due to proliferation of botnets, it is quite common these days to see non-spoofed attacks coming from a large number of sources. Anomalous header floods These are packets which are typically generated by scripts. Scripts simple use loops to increment certain header parameters. Since many of these header parameter values may not be valid from standards perspective, they are anomalous. Examples of these attacks are packets with invalid TCP flag combinations. If a packet has flags such as RST, FIN, SYN, and ACK set simultaneously, it is anomalous. FortiDDoS DDoS Attack Mitigation Guide 28-100-167076-20120501 26 http://docs.fortinet.com/ • Feedback
Attacks to test functionality and performance Anomalous state floods Protocols such as TCP are stateful. They follow predefined state transition rules. When scripted bots generate attacks, they violate many of these rules. Examples of such attacks are ACK packets coming without connection establishment, out of TCP window packets etc. Limited sources versus large number of sources floods Some DDoS attacks are launched using very limited number of sources while some others are launched with a very large number of sources. It is easy to launch a spoofed attack with a seemingly large number of sources. To launch a non-spoofed large number source attack, you need a control over a large botnet. Layer 3, 4 or 7 DDoS attack It is possible to launch DDoS attacks on different network layers. Over the Internet, one can launch Layer 3, 4 or 7 attacks. Example of Layer 3 attacks are protocol floods such as ICMP floods, TCP floods, fragment floods. These are created using a variation in the layer 3 headers. Example of layer 4 floods are port floods (TCP or UDP). In these attacks, a single port is continuously attacked. ICMP echo flood are also of this kind. Example of layer 7 floods are URL floods. In this attack, a single URL is continuously attacked from multiple sources. Random header parameter attack It is easy to create DDoS attacks in which some specific header parameter is continuously varying. Examples are TCP random flag flooding, IP option flooding, TCP option flooding etc. Blended attack It is easy to create DDoS attacks in which many attacks are combined to further confuse the destination. Examples are port floods on TCP and UDP simultaneously. Attacks to test functionality and performance Spoofed syn flood attack This is a layer 4 spoofed flood in which the attacker sends TCP SYN packets in which the IP addresses are continuously changing. FortiDDoS DDoS Attack Mitigation Guide 28-100-167076-20120501 27 http://docs.fortinet.com/ • Feedback
Page 1 and 2: FortiDDoS DDoS Attack Mitigation Gu
Page 3 and 4: Table of Contents Introduction.....
Page 5 and 6: independent devices ...............
Page 7 and 8: Introduction Defining DDoS attacks
Page 9 and 10: Virus infections, botnets and distr
Page 11 and 12: Myths and realities about DDoS atta
Page 13 and 14: Anti-DDoS appliances Anti-DDoS appl
Page 15 and 16: Things to look for in Anti-DDoS equ
Page 17 and 18: Support for IPv6 will become import
Page 19 and 20: Source rate limiting Source rate li
Page 21 and 22: Botnet Attack Mitigation Overview o
Page 23 and 24: Can you do the same processing in C
Page 25 and 26: A very simple deployment Figure 4:
Page 27 and 28: Typical deployment for an internet
Page 29 and 30: DDoS and SaaS Model for E-Commerce
Page 31: Testing a Mitigation System Introdu
Page 35 and 36: Attacks to test functionality and p
Page 37 and 38: Attacks to test functionality and p
Page 39 and 40: Conclusion Conclusion Spoofed ICMP
Page 41 and 42: Virtual partitioning and multiple p
Page 43 and 44: Role based management and audit tra
Page 45: Conclusion Conclusion Buying a DDoS

FortiDDos DDoS Attack Mitigation Guide - Fortinet

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?